Sorry for the dumb question, but I just want to make sure!
@jay_b: Firewall rules will apply to all MX networks in the organization that participate in site-to-site VPN (both AutoVPN and non-Meraki).
https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-site_VPN_Firewall_Rule_Behavior
Thank you, Inderdeep. In the document it says: "As such, the MX cannot block VPN traffic initiated by non-Meraki peers." So, as an example: if I put in a deny-all rule, will site-to-site VPN still work, or will it hit the deny-all?
@jay_b By default, everything inbound is blocked unless it is allowed by port forwarding or a 1:1 NAT rule, for example, and of course any return traffic is allowed back inbound, like on any stateful firewall.
So you are going to block outbound traffic with firewall rules.
Check the layer 3 firewall rules.
Hello @Inderdeep
Thanks for your response. Sorry if I am not explaining it clearly. Let me explain it again.
As an example: I have a fresh new firewall.
1) I implemented 5 site-to-site VPN tunnels to AWS/Azure/GC.
2) Added allow TCP any any 80
3) allow TCP any any 443
4) deny any any
Now my question is: do I have to add a rule to allow each individual tunnel's IP address? Like:
allow any any tunnel1 IP address
allow any any tunnel2 IP address
The L3 firewall doesn't work on VPN traffic.
The L3 VPN firewall works on outgoing VPN traffic only (traffic inside the tunnel).
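To make the distinction in the answer above concrete, here is an added Python model (not from the thread or from Meraki) of first-match rule evaluation with two separate rule sets: the outbound L3 rules from the question, and the site-to-site VPN firewall rules. Flows whose destination falls inside a VPN peer subnet are checked against the VPN rule set; everything else is checked against the L3 rule set. The peer subnets, the flows and the implicit default-allow at the end of each rule set are constructed assumptions for the demonstration, not dashboard values from the page.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    policy: str     # "allow" or "deny"
    protocol: str   # "tcp", "udp" or "any"
    dst_cidr: str   # destination network in CIDR form, or "any"
    dst_port: str   # port number as a string, or "any"


@dataclass(frozen=True)
class Flow:
    protocol: str
    dst_ip: str
    dst_port: int


def rule_matches(rule: Rule, flow: Flow) -> bool:
    """Return True when every field of the rule covers the flow."""
    if rule.protocol != "any" and rule.protocol != flow.protocol:
        return False
    if rule.dst_port != "any" and int(rule.dst_port) != flow.dst_port:
        return False
    if rule.dst_cidr != "any":
        net = ipaddress.ip_network(rule.dst_cidr, strict=False)
        if ipaddress.ip_address(flow.dst_ip) not in net:
            return False
    return True


def evaluate(rules: list, flow: Flow, default: str = "allow") -> str:
    """First-match evaluation: the first matching rule decides.

    The trailing default-allow is an assumption of this model."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule.policy
    return default


# Constructed example: subnets reachable through the site-to-site tunnels.
VPN_PEER_SUBNETS = [ipaddress.ip_network("10.100.0.0/16"),
                    ipaddress.ip_network("172.20.0.0/16")]


def is_vpn_bound(flow: Flow) -> bool:
    ip = ipaddress.ip_address(flow.dst_ip)
    return any(ip in net for net in VPN_PEER_SUBNETS)


def decide(flow: Flow, l3_rules: list, vpn_rules: list) -> tuple:
    """Model of the answer above: outbound VPN traffic is judged by the
    site-to-site VPN firewall rules, all other traffic by the L3 rules.
    Returns (rule set consulted, verdict)."""
    if is_vpn_bound(flow):
        return "vpn", evaluate(vpn_rules, flow)
    return "l3", evaluate(l3_rules, flow)


# The rule set from the question, as outbound L3 rules.
L3_RULES = [
    Rule("allow", "tcp", "any", "80"),
    Rule("allow", "tcp", "any", "443"),
    Rule("deny", "any", "any", "any"),
]

# Site-to-site VPN firewall rules left empty (only the default applies).
VPN_RULES_DEFAULT: list = []

# The same lockdown applied where it actually affects tunnel traffic.
VPN_RULES_LOCKED = [
    Rule("allow", "tcp", "any", "443"),
    Rule("deny", "any", "any", "any"),
]


def demo() -> dict:
    """Constructed flows: two to the internet, two into the tunnels."""
    flows = {
        "internet_https": Flow("tcp", "203.0.113.10", 443),
        "internet_ssh": Flow("tcp", "203.0.113.10", 22),
        "vpn_ssh": Flow("tcp", "10.100.5.20", 22),
        "vpn_https": Flow("tcp", "172.20.1.9", 443),
    }
    return {
        name: {
            "vpn_rules_empty": decide(f, L3_RULES, VPN_RULES_DEFAULT),
            "vpn_rules_locked": decide(f, L3_RULES, VPN_RULES_LOCKED),
        }
        for name, f in flows.items()
    }


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(name, verdicts)
```

Running it shows the point of the thread: with the deny-all only in the L3 rules, SSH to an internet host is denied but SSH into a tunnel subnet is still allowed, because the L3 deny never sees tunnel traffic. Only when the restriction is placed in the site-to-site VPN firewall rules does traffic inside the tunnel get blocked, so anyone who wants the tunnels locked down must write that policy in the VPN rule set, not rely on the L3 deny-all.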
@ww Thanks for the quick response. That makes sense. So there won't be any effect on the VPN. Awesome. Thanks!